VMRay researchers have identified a heavily obfuscated batch script that delivers the XWorm and AsyncRAT malware families. At the time of analysis no engine on VirusTotal flagged it, and it remained undetected there for over two days; it uses PowerShell and Visual Basic to carry out a multi-stage infection chain.
The campaign highlights the growing threat posed by stealthy malware loaders that evade traditional antivirus solutions.
According to the VMRay post shared on X, the batch script combines obfuscation and automation to bypass detection. It begins by launching a PowerShell loader, which decodes its embedded payload and decrypts it with AES-256.
The decrypted payload connects to a Command-and-Control (C2) server reached through Telegram and uploads system information, including:
- Device ID
- Hardware ID (HWID)
- Public IP address and country
- Username and computer name
- Antivirus information
Additionally, the script captures a screenshot of the victim's desktop and sends it to the attacker through Telegram.
This functionality is implemented with PowerShell commands embedded in the batch file. The script's coding style suggests it may have been generated with AI tools such as ChatGPT or Claude, which complicates attempts by analysts to trace its origins.
Payload Delivery: XWorm and AsyncRAT
XWorm is a Remote Access Trojan (RAT) known for its versatility and destructive capabilities.
It can steal sensitive data (e.g., login credentials), deploy ransomware, launch Distributed Denial-of-Service (DDoS) attacks, monitor webcams and keystrokes, spread via USB drives and execute commands remotely.
XWorm persists by modifying registry entries, and it evades Windows Defender with techniques such as disabling AMSI (Antimalware Scan Interface), so that the scripts it runs are never handed to the antivirus engine for inspection.
AsyncRAT is another powerful RAT that provides attackers with remote control over infected systems. Its features include screen viewing/recording, keylogging, file upload/download, command execution and disabling security software.
AsyncRAT uses process hollowing to inject itself into legitimate processes, further evading detection.
The batch script is heavily obfuscated: the file is stored in UTF-16 encoding, which defeats naive ASCII string matching, and it is padded with junk code to hinder analysis.
It also leverages open-source batch obfuscators, making the script nearly unreadable while maintaining its functionality.
For example, the PowerShell loader is hidden within multiple layers of encoding, making it challenging for static analysis tools to detect malicious activity.
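The layers described above (UTF-16 file encoding, junk lines, batch variable tricks and a Base64-encoded PowerShell loader) can be peeled back mechanically. The following Python triage script is an added example, not VMRay's code and not the dropper itself. The sample batch file and the inert PowerShell one-liner embedded in it are constructed for illustration, and the indicator patterns (Telegram Bot API URL, .NET AES provider, Base64 blob, screen capture, AV enumeration, AMSI tampering) are the author's assumptions about what such a loader contains. The script decodes the file, resolves `%var%` references defined by `set` lines, drops comment and `set` lines, extracts the `-EncodedCommand` argument and lists the indicators found in the decoded PowerShell.

```python
"""Static triage of an obfuscated batch dropper (added example, not VMRay's script)."""
import base64
import codecs
import re

# Constructed stand-in for the loader stage: a PowerShell one-liner of the kind
# the article describes (Base64 blob, AES provider, Telegram Bot API URL,
# screen capture). Hypothetical and inert; it is not the real sample.
LOADER_PS = (
    '$k=[Convert]::FromBase64String("QUFBQUFBQUFBQUFBQUFBQQ==");'
    '$aes=[System.Security.Cryptography.Aes]::Create();'
    '$u="https://api.telegram.org/bot$token/sendDocument";'
    '$bmp=New-Object Drawing.Bitmap 1,1'
)
ENCODED = base64.b64encode(LOADER_PS.encode("utf-16-le")).decode()

# Constructed batch file: UTF-16 LE with BOM, junk comments, a dead `set`
# line, the word "powershell" hidden in a variable, then the encoded call.
SAMPLE_BAT = codecs.BOM_UTF16_LE + (
    "@echo off\r\n"
    ":: 9f2k1 junk comment line\r\n"
    "rem more junk\r\n"
    'set "zq8=never used"\r\n'
    'set "ps=powershell"\r\n'
    f"%ps% -w hidden -nop -enc {ENCODED}\r\n"
).encode("utf-16-le")

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.I)
COMMENT_RE = re.compile(r"^\s*(::|rem\b)", re.I)
# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by Base64.
ENC_RE = re.compile(r"powershell(?:\.exe)?[^\r\n]*?\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = {  # assumed indicator patterns, not a published rule set
    "telegram_bot_api": r"api\.telegram\.org/bot",
    "aes_provider": r"Security\.Cryptography\.(Aes|RijndaelManaged)",
    "base64_blob": r"FromBase64String",
    "screenshot": r"Drawing\.Bitmap|CopyFromScreen",
    "av_enumeration": r"AntiVirusProduct",
    "amsi_tamper": r"amsiInitFailed|AmsiUtils",
}


def decode_batch(raw: bytes) -> tuple[str, str]:
    """Return (encoding, text); UTF-16 files hide 'powershell' from ASCII scanners."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le", raw[2:].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be", raw[2:].decode("utf-16-be")
    if len(raw) > 1 and raw[1:2] == b"\x00" and raw.count(b"\x00") > len(raw) // 4:
        return "utf-16-le", raw.decode("utf-16-le", errors="replace")  # BOM-less UTF-16
    return "cp1252", raw.decode("cp1252", errors="replace")


def expand_vars(lines: list[str]) -> list[str]:
    """Resolve %name% references so split-up command words become visible again."""
    defs = {m.group(1).lower(): m.group(2) for m in map(SET_RE.match, lines) if m}
    out = []
    for line in lines:
        for _ in range(5):  # bounded, in case definitions nest
            new = re.sub(r"%([^%\s]+)%", lambda m: defs.get(m.group(1).lower(), m.group(0)), line)
            if new == line:
                break
            line = new
        out.append(line)
    return out


def extract_encoded_commands(lines: list[str]) -> list[str]:
    """Base64-decode every -EncodedCommand argument (PowerShell expects UTF-16 LE)."""
    found = []
    for line in lines:
        for m in ENC_RE.finditer(line):
            try:
                found.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
            except (ValueError, UnicodeDecodeError):
                continue  # not a real encoded command, skip it
    return found


def find_indicators(script: str) -> list[str]:
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, script, re.I))


def triage(raw: bytes) -> dict:
    encoding, text = decode_batch(raw)
    lines = expand_vars(text.splitlines())
    # Junk removal: comments and (now resolved) set lines carry no behaviour.
    effective = [l for l in lines if l.strip() and not COMMENT_RE.match(l) and not SET_RE.match(l)]
    decoded = extract_encoded_commands(effective)
    return {
        "encoding": encoding,
        "effective_lines": effective,
        "decoded_commands": decoded,
        "indicators": sorted({i for d in decoded for i in find_indicators(d)}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

On a real sample the decoded PowerShell will itself contain the AES-encrypted next stage; the key and IV are usually Base64 literals in the same script, so the same approach (decode, then decrypt with the embedded material) continues down the chain.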
That this batch script slipped past every engine on VirusTotal underscores an evolving threat landscape in which attackers increasingly rely on layered evasion techniques.
By using Telegram as the C2 channel, attackers hide their infrastructure behind a legitimate, widely allowed service while exfiltrating data. If the code was indeed AI-generated, that further complicates attribution.
Recommendations
To mitigate such threats:
- Use behaviour-based detection that flags unusual activity such as PowerShell launched from a batch file with an encoded command line.
- Monitor for connections to suspicious IPs or domains, including the Telegram Bot API (api.telegram.org) reached from scripting hosts such as PowerShell, which is how Telegram-based C2 is contacted.
- Train employees to recognize phishing emails that often serve as the initial infection vector.
- Regularly update antivirus software to detect emerging threats like XWorm and AsyncRAT.
- Stay informed about new malware campaigns and incorporate Indicators of Compromise (IOCs) into your security stack.
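To make the first two recommendations concrete, and to cover the Telegram C2 behaviour described earlier (a PowerShell loader posting system details and a screenshot to a Telegram bot), here is an added Python example that is not part of the original article: a small detection routine run over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The events, process GUIDs, timestamps and paths are invented; the rule names, the 10-minute correlation window and the list of scripting hosts are the author's assumptions. It flags PowerShell launched with an encoded command or a hidden window, flags connections to api.telegram.org from scripting hosts, and raises the severity when both come from the same process, while leaving a browser's Telegram traffic and a plain scheduled script alone.

```python
"""Behavioural detection of a batch -> PowerShell -> Telegram chain (added example)."""
import json
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events as JSON lines. GUIDs, paths and times are invented.
SAMPLE_EVENTS = r"""
{"EventID":1,"UtcTime":"2025-01-10 09:00:01.000","ProcessGuid":"g-cmd","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd /c C:\\Users\\u\\Downloads\\invoice.bat"}
{"EventID":1,"UtcTime":"2025-01-10 09:00:02.000","ProcessGuid":"g-ps1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"powershell -w hidden -nop -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"}
{"EventID":3,"UtcTime":"2025-01-10 09:00:05.000","ProcessGuid":"g-ps1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationHostname":"api.telegram.org","DestinationPort":443}
{"EventID":3,"UtcTime":"2025-01-10 09:01:00.000","ProcessGuid":"g-chrome","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationHostname":"api.telegram.org","DestinationPort":443}
{"EventID":1,"UtcTime":"2025-01-10 09:02:00.000","ProcessGuid":"g-ps2","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell -File C:\\Scripts\\backup.ps1"}
{"EventID":3,"UtcTime":"2025-01-10 09:02:03.000","ProcessGuid":"g-ps2","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationHostname":"backup.corp.example","DestinationPort":443}
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}  # assumed list
ENCODED_RE = re.compile(r"\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)   # -e/-ec/-enc/-EncodedCommand
HIDDEN_RE = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed tuning value


def load_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect(events: list[dict]) -> list[dict]:
    """Return alerts; a Telegram connection from a PowerShell process that was
    itself launched suspiciously within the window is escalated to critical."""
    alerts = []
    suspicious_launch = {}  # ProcessGuid -> launch time
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        name = image_name(ev["Image"])
        if ev["EventID"] == 1 and name in ("powershell.exe", "pwsh.exe"):
            cmdline = ev.get("CommandLine", "")
            reasons = []
            if ENCODED_RE.search(cmdline):
                reasons.append("encoded command")
            if HIDDEN_RE.search(cmdline):
                reasons.append("hidden window")
            if not reasons:
                continue  # ordinary PowerShell use, e.g. a scheduled -File run
            if image_name(ev.get("ParentImage", "")) == "cmd.exe":
                reasons.append("launched from cmd.exe (batch file)")
            suspicious_launch[ev["ProcessGuid"]] = parse_time(ev["UtcTime"])
            alerts.append({"rule": "suspicious_powershell_launch", "severity": "medium",
                           "guid": ev["ProcessGuid"], "reasons": reasons})
        elif ev["EventID"] == 3 and name in SCRIPT_HOSTS:
            host = ev.get("DestinationHostname", "").lower()
            if host != "api.telegram.org" and not host.endswith(".telegram.org"):
                continue
            severity = "high"
            reasons = [f"{name} connected to {host}:{ev.get('DestinationPort')}"]
            launched = suspicious_launch.get(ev["ProcessGuid"])
            if launched and parse_time(ev["UtcTime"]) - launched <= CORRELATION_WINDOW:
                severity = "critical"
                reasons.append("same process was a suspicious PowerShell launch")
            alerts.append({"rule": "telegram_c2_from_script_host", "severity": severity,
                           "guid": ev["ProcessGuid"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

The browser's connection to api.telegram.org is deliberately not alerted on: Telegram traffic by itself is common, and the signal here is the combination of a scripting host as the client and a suspicious launch of that same process shortly before.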